We have made the following changes to improve the handling of XML and JSON insertion points during scans: Improved handling of XML and JSON insertion points in Burp Scanner We have also improved the way the crawler interacts with forms on a page to better support modern single-page applications. Audit asynchronous traffic in Burp ScannerĪPI calls that are triggered by the crawler interacting with elements on the page will now be sent for audit.
We have also integrated additional out-of-band detection methods using Burp Collaborator. We have added payloads to the server-side template injection (SSTI) scan check to detect vulnerabilities in the following Java-based template engines: Improved scan check for server-side template injection
You can now select multiple rows and perform bulk operations on some of the tables in the Intruder configuration settings.You can use this to determine how long a session is kept alive between requests for example. This enables you to study how the target application's behavior changes as requests become more spread out. In the resource pool configuration, there is now an option for setting the delay between requests to an incremental value.When using the Grep - Match or Grep - Payloads options, the results table now contains a column displaying the number of matches found in the response rather than just a checkbox.This helps to increase the efficiency of your attacks as you can avoid sending redundant, duplicate requests when combining multiple wordlists for example. When configuring a list of payloads to send during your attack, you can now click the Deduplicate button to remove any duplicate entries.We have made the following improvements to Burp Intruder: To enable this behavior, first select the Allow HTTP/2 ALPN override option from the Repeater menu, then switch the protocol to HTTP/2 from the Inspector panel.
This allows you to manually explore additional "hidden" HTTP/2 attack surface. You can now send HTTP/2 requests from Burp Repeater even if the server doesn't explicitly advertise HTTP/2 support via ALPN. Manually test hidden HTTP/2 attack surface in Burp Repeater This release enables manual testing of hidden HTTP/2 attack surface and adds a number of improvements to Burp Intruder and Burp Scanner.
0 kommentar(er)
